74a30a58 | 1 | /* SELinux access controls for nscd. |
d4697bc9 | 2 | Copyright (C) 2004-2014 Free Software Foundation, Inc. |
74a30a58 UD |
3 | This file is part of the GNU C Library. |
4 | Contributed by Matthew Rickard <mjricka@epoch.ncsc.mil>, 2004. | |
5 | ||
6 | The GNU C Library is free software; you can redistribute it and/or | |
7 | modify it under the terms of the GNU Lesser General Public | |
8 | License as published by the Free Software Foundation; either | |
9 | version 2.1 of the License, or (at your option) any later version. | |
10 | ||
11 | The GNU C Library is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | Lesser General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU Lesser General Public | |
59ba27a6 PE |
17 | License along with the GNU C Library; if not, see |
18 | <http://www.gnu.org/licenses/>. */ | |
74a30a58 | 19 | |
ec23b9be | 20 | #include "config.h" |
74a30a58 UD |
21 | #include <error.h> |
22 | #include <errno.h> | |
23 | #include <libintl.h> | |
24 | #include <pthread.h> | |
25 | #include <stdarg.h> | |
26 | #include <stdio.h> | |
27 | #include <stdlib.h> | |
28 | #include <syslog.h> | |
62a8cefb | 29 | #include <unistd.h> |
1f063dca | 30 | #include <sys/prctl.h> |
74a30a58 UD |
31 | #include <selinux/av_permissions.h> |
32 | #include <selinux/avc.h> | |
33 | #include <selinux/flask.h> | |
34 | #include <selinux/selinux.h> | |
ec23b9be | 35 | #ifdef HAVE_LIBAUDIT |
1f063dca | 36 | # include <libaudit.h> |
ec23b9be | 37 | #endif |
74a30a58 UD |
38 | |
39 | #include "dbg_log.h" | |
40 | #include "selinux.h" | |
41 | ||
42 | ||
43 | #ifdef HAVE_SELINUX | |
44 | /* Global variable to tell if the kernel has SELinux support. */ | |
45 | int selinux_enabled; | |
46 | ||
/* Map each nscd request type onto the permission (in the SELinux
   "nscd" object class) that the requesting peer must hold.  Entries
   are grouped by database; request types not listed here are
   zero-initialised.  Permissions for the optional databases are only
   present when the policy headers used at build time define them.  */
static const access_vector_t perms[LASTREQ] =
{
  /* Password database lookups and its shared-memory handle.  */
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
  [GETFDPW] = NSCD__SHMEMPWD,
  /* Group database (including initgroups) and its shared-memory handle.  */
  [GETGRBYNAME] = NSCD__GETGRP,
  [GETGRBYGID] = NSCD__GETGRP,
  [INITGROUPS] = NSCD__GETGRP,
  [GETFDGR] = NSCD__SHMEMGRP,
  /* Host database, by name or address, v4 or v6, plus getaddrinfo,
     and its shared-memory handle.  */
  [GETHOSTBYNAME] = NSCD__GETHOST,
  [GETHOSTBYNAMEv6] = NSCD__GETHOST,
  [GETHOSTBYADDR] = NSCD__GETHOST,
  [GETHOSTBYADDRv6] = NSCD__GETHOST,
  [GETAI] = NSCD__GETHOST,
  [GETFDHST] = NSCD__SHMEMHOST,
  /* Statistics and administrative requests.  */
  [GETSTAT] = NSCD__GETSTAT,
  [SHUTDOWN] = NSCD__ADMIN,
  [INVALIDATE] = NSCD__ADMIN,
#ifdef NSCD__GETSERV
  /* Services database.  */
  [GETSERVBYNAME] = NSCD__GETSERV,
  [GETSERVBYPORT] = NSCD__GETSERV,
  [GETFDSERV] = NSCD__SHMEMSERV,
#endif
#ifdef NSCD__GETNETGRP
  /* Netgroup database.  */
  [GETNETGRENT] = NSCD__GETNETGRP,
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
#endif
};
77 | ||
78 | /* Store an entry ref to speed AVC decisions. */ | |
79 | static struct avc_entry_ref aeref; | |
80 | ||
81 | /* Thread to listen for SELinux status changes via netlink. */ | |
82 | static pthread_t avc_notify_thread; | |
83 | ||
ec23b9be UD |
84 | #ifdef HAVE_LIBAUDIT |
85 | /* Prototype for supporting the audit daemon */ | |
86 | static void log_callback (const char *fmt, ...); | |
87 | #endif | |
88 | ||
74a30a58 UD |
89 | /* Prototypes for AVC callback functions. */ |
90 | static void *avc_create_thread (void (*run) (void)); | |
91 | static void avc_stop_thread (void *thread); | |
92 | static void *avc_alloc_lock (void); | |
93 | static void avc_get_lock (void *lock); | |
94 | static void avc_release_lock (void *lock); | |
95 | static void avc_free_lock (void *lock); | |
96 | ||
/* AVC callback structures for use in avc_init.  libselinux calls back
   into nscd through these: for logging, for the netlink notification
   thread, and for the locks protecting its cache.  */
static const struct avc_log_callback log_cb =
{
#ifdef HAVE_LIBAUDIT
  /* Forward AVC messages to the audit subsystem.  */
  .func_log = log_callback,
#else
  /* Without libaudit they only go to nscd's own debug log.  */
  .func_log = dbg_log,
#endif
  /* No separate audit formatter is installed.  */
  .func_audit = NULL
};
static const struct avc_thread_callback thread_cb =
{
  .func_create_thread = avc_create_thread,
  .func_stop_thread = avc_stop_thread
};
static const struct avc_lock_callback lock_cb =
{
  .func_alloc_lock = avc_alloc_lock,
  .func_get_lock = avc_get_lock,
  .func_release_lock = avc_release_lock,
  .func_free_lock = avc_free_lock
};
119 | ||
ec23b9be UD |
120 | #ifdef HAVE_LIBAUDIT |
121 | /* The audit system's netlink socket descriptor */ | |
122 | static int audit_fd = -1; | |
123 | ||
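/* When an AVC message (typically a denial) arrives from libselinux,
   forward it to the audit subsystem as an AUDIT_USER_AVC record.  The
   message is silently dropped when no audit connection is open.  */
static void
log_callback (const char *fmt, ...)
{
  if (audit_fd < 0)
    return;

  va_list ap;
  va_list ap_fallback;
  va_start (ap, fmt);
  /* A va_list that has been consumed by one v*printf call must not be
     handed to a second one (undefined behavior); keep an untouched
     copy for the fallback path.  */
  va_copy (ap_fallback, ap);

  char *buf = NULL;
  char stack_buf[BUFSIZ];
  int e = vasprintf (&buf, fmt, ap);
  if (e < 0)
    {
      /* vasprintf failed (most likely out of memory): fall back to a
	 possibly truncated stack copy rather than losing the record.  */
      vsnprintf (stack_buf, sizeof stack_buf, fmt, ap_fallback);
      buf = stack_buf;
    }

  va_end (ap_fallback);
  va_end (ap);

  /* FIXME: need to attribute this to real user, using getuid for now */
  audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
			      NULL, getuid ());

  if (e >= 0)
    free (buf);
}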
151 | ||
/* Open the connection to the audit subsystem and store it in
   audit_fd.  A kernel without audit support is not worth a log
   message; any other failure is logged (but not fatal).  */
static void
audit_init (void)
{
  audit_fd = audit_open ();
  if (audit_fd >= 0)
    return;

  switch (errno)
    {
    case EINVAL:
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:
      /* Kernel has no audit support: bail out quietly.  */
      break;
    default:
      dbg_log (_("Failed opening connection to the audit subsystem: %m"));
      break;
    }
}
1f063dca UD |
162 | |
163 | ||
164 | # ifdef HAVE_LIBCAP | |
/* Capabilities nscd keeps after it has given up root: only
   CAP_AUDIT_WRITE, so the audit writes in log_callback keep working.  */
static const cap_value_t new_cap_list[] =
  { CAP_AUDIT_WRITE };
# define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
/* Capabilities held only across the uid/gid switch itself: the two
   needed to perform the switch plus the one retained afterwards.  */
static const cap_value_t tmp_cap_list[] =
  { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
# define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))
171 | ||
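/* Called while still running as root, before nscd switches to its
   unprivileged user.  Reduces the process to the temporary set
   (CAP_SETUID/CAP_SETGID for the switch, CAP_AUDIT_WRITE to keep)
   and arranges, via PR_SET_KEEPCAPS, for it to survive the uid
   change.  Returns the final set (CAP_AUDIT_WRITE only) that
   install_real_capabilities must apply once the switch is done; the
   caller owns it.  Returns NULL when not running as root, in which
   case there is nothing to preserve.  Every failure is fatal: going
   on could leave the daemon with more privilege than intended.  */
cap_t
preserve_capabilities (void)
{
  if (getuid () != 0)
    /* Not root, then we cannot preserve anything. */
    return NULL;

  /* Without KEEPCAPS the kernel clears the permitted set on setuid.  */
  if (prctl (PR_SET_KEEPCAPS, 1) == -1)
    {
      dbg_log (_("Failed to set keep-capabilities"));
      error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }

  cap_t tmp_caps = cap_init ();
  cap_t new_caps = NULL;
  if (tmp_caps != NULL)
    new_caps = cap_init ();

  if (tmp_caps == NULL || new_caps == NULL)
    {
      if (tmp_caps != NULL)
	cap_free (tmp_caps);

      dbg_log (_("Failed to initialize drop of capabilities"));
      error (EXIT_FAILURE, 0, _("cap_init failed"));
      /* NOTREACHED */
    }

  /* cap_set_flag should only fail for an invalid flag or capability
     value, but an unchecked failure would silently leave one of the
     sets incomplete and the process with the wrong privileges, so
     treat it as fatal rather than assume it cannot happen.  */
  if (cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
		    (cap_value_t *) new_cap_list, CAP_SET) != 0
      || cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
		       (cap_value_t *) new_cap_list, CAP_SET) != 0
      || cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
		       (cap_value_t *) tmp_cap_list, CAP_SET) != 0
      || cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
		       (cap_value_t *) tmp_cap_list, CAP_SET) != 0)
    {
      cap_free (tmp_caps);
      cap_free (new_caps);
      dbg_log (_("Failed to initialize drop of capabilities"));
      error (EXIT_FAILURE, errno, _("cap_set_flag failed"));
      /* NOTREACHED */
    }

  /* Shrink to the temporary set now; the uid switch happens in the
     caller, the final shrink in install_real_capabilities.  */
  int res = cap_set_proc (tmp_caps);

  cap_free (tmp_caps);

  if (__glibc_unlikely (res != 0))
    {
      cap_free (new_caps);
      dbg_log (_("Failed to drop capabilities"));
      error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
      /* NOTREACHED */
    }

  return new_caps;
}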
224 | ||
/* Second half of the capability hand-over: after nscd has switched to
   its unprivileged uid, install NEW_CAPS (as returned by
   preserve_capabilities) as the process's capability set and clear
   PR_SET_KEEPCAPS again.  A NULL NEW_CAPS means there was nothing to
   preserve and nothing is done.  Takes ownership of NEW_CAPS and
   frees it.  Any failure is fatal.  */
void
install_real_capabilities (cap_t new_caps)
{
  if (new_caps == NULL)
    return;

  int rc = cap_set_proc (new_caps);
  cap_free (new_caps);
  if (rc != 0)
    {
      dbg_log (_("Failed to drop capabilities"));
      error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
      /* NOTREACHED */
    }

  /* KEEPCAPS was only needed to carry the set across the uid change.  */
  if (prctl (PR_SET_KEEPCAPS, 0) == -1)
    {
      dbg_log (_("Failed to unset keep-capabilities"));
      error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }
}
249 | # endif /* HAVE_LIBCAP */ | |
ec23b9be | 250 | #endif /* HAVE_LIBAUDIT */ |
74a30a58 UD |
251 | |
/* Determine whether we are running on an SELinux kernel and store the
   answer in *SELINUX_ENABLED (the parameter deliberately shadows the
   file-scope variable of the same name).  A negative answer from
   libselinux is treated as fatal.  */
void
nscd_selinux_enabled (int *selinux_enabled)
{
  int enabled = is_selinux_enabled ();
  *selinux_enabled = enabled;
  if (enabled >= 0)
    return;

  dbg_log (_("Failed to determine if kernel supports SELinux"));
  exit (EXIT_FAILURE);
}
264 | ||
265 | ||
/* libselinux callback: start the AVC netlink notification thread
   running RUN.  Returns a handle (pointer to the pthread_t) that is
   later passed back to avc_stop_thread.  Failure to start is fatal.  */
static void *
avc_create_thread (void (*run) (void))
{
  /* libselinux hands us a void(void) entry point while pthread wants
     void *(void *); the cast is what the callback contract requires.  */
  void *(*start) (void *) = (void *(*) (void *)) run;

  int err = pthread_create (&avc_notify_thread, NULL, start, NULL);
  if (err != 0)
    error (EXIT_FAILURE, err, _("Failed to start AVC thread"));

  return &avc_notify_thread;
}
279 | ||
280 | ||
/* libselinux callback: cancel the AVC netlink thread identified by
   THREAD, a handle returned by avc_create_thread.  */
static void
avc_stop_thread (void *thread)
{
  pthread_t *tid = thread;
  pthread_cancel (*tid);
}
287 | ||
288 | ||
/* libselinux callback: allocate and initialise a mutex for the AVC.
   Returns the lock handle; allocation failure is fatal.  */
static void *
avc_alloc_lock (void)
{
  pthread_mutex_t *mutex = malloc (sizeof *mutex);
  if (mutex == NULL)
    error (EXIT_FAILURE, errno, _("Failed to create AVC lock"));

  pthread_mutex_init (mutex, NULL);
  return mutex;
}
302 | ||
303 | ||
/* libselinux callback: acquire LOCK (a handle from avc_alloc_lock).  */
static void
avc_get_lock (void *lock)
{
  pthread_mutex_t *mutex = lock;
  pthread_mutex_lock (mutex);
}
310 | ||
311 | ||
/* libselinux callback: release LOCK (a handle from avc_alloc_lock).  */
static void
avc_release_lock (void *lock)
{
  pthread_mutex_t *mutex = lock;
  pthread_mutex_unlock (mutex);
}
318 | ||
319 | ||
/* libselinux callback: destroy LOCK (a handle from avc_alloc_lock)
   and release its memory.  */
static void
avc_free_lock (void *lock)
{
  pthread_mutex_t *mutex = lock;
  pthread_mutex_destroy (mutex);
  free (mutex);
}
327 | ||
328 | ||
/* Initialize the user space access vector cache (AVC) for nscd,
   registering the log/thread/lock callbacks defined above, and then
   (when built with libaudit) open the audit connection.  Failure to
   start the AVC is fatal.  */
void
nscd_avc_init (void)
{
  avc_entry_ref_init (&aeref);

  int rc = avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb);
  if (rc < 0)
    error (EXIT_FAILURE, errno, _("Failed to start AVC"));
  dbg_log (_("Access Vector Cache (AVC) started"));
#ifdef HAVE_LIBAUDIT
  audit_init ();
#endif
}
344 | ||
345 | ||
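/* Check whether the peer connected on FD may issue request REQ to
   nscd.  The peer's SELinux context comes from getpeercon, nscd's own
   from getcon, and the decision is taken by the user-space AVC in the
   "nscd" object class with the permission mapped in PERMS.
   Returns 0 if access is allowed, 1 if denied, and -1 on error.
   Every failure path fails closed with -1: REQ out of range, a
   request type without a permission mapping, or any context/SID
   lookup error.  */
int
nscd_request_avc_has_perm (int fd, request_type req)
{
  /* Initialize to NULL so we know what to free in case of failure. */
  security_context_t scon = NULL;
  security_context_t tcon = NULL;
  security_id_t ssid = NULL;
  security_id_t tsid = NULL;
  int rc = -1;

  /* REQ originates from the client's request header.  The caller is
     expected to have range-checked it, but indexing PERMS with an
     out-of-range value would be an out-of-bounds read, so re-check
     here rather than depend on that.  */
  if ((unsigned int) req >= LASTREQ)
    {
      dbg_log (_("invalid request type in access check"));
      goto out;
    }

  /* A request type without a mapping reads as 0 from PERMS: either the
     policy headers used at build time predate that database or the
     table was not updated for a new request type.  A zero permission
     mask must never reach avc_has_perm, where it could look like
     "nothing denied", so reject it for every request type instead of
     only when NSCD__GETSERV is missing.  */
  if (perms[req] == 0)
    {
      dbg_log (_("compile-time support for database policy missing"));
      goto out;
    }

  if (getpeercon (fd, &scon) < 0)
    {
      dbg_log (_("Error getting context of socket peer"));
      goto out;
    }
  if (getcon (&tcon) < 0)
    {
      dbg_log (_("Error getting context of nscd"));
      goto out;
    }
  if (avc_context_to_sid (scon, &ssid) < 0
      || avc_context_to_sid (tcon, &tsid) < 0)
    {
      dbg_log (_("Error getting sid from context"));
      goto out;
    }

  /* avc_has_perm returns 0 when allowed and -1 otherwise, so this
     yields the documented 0/1; a lookup failure inside the AVC is
     reported as a denial here, not as an error.  */
  rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;

 out:
  if (scon)
    freecon (scon);
  if (tcon)
    freecon (tcon);
  if (ssid)
    sidput (ssid);
  if (tsid)
    sidput (tsid);

  return rc;
}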
397 | ||
398 | ||
/* Fill *CSTATS with the current AVC cache counters.  Thin wrapper
   around libselinux's avc_cache_stats, keeping the SELinux API behind
   this file's interface.  */
void
nscd_avc_cache_stats (struct avc_cache_stats *cstats)
{
  avc_cache_stats (cstats);
}
405 | ||
406 | ||
/* Print the AVC statistics held in *CSTATS to stdout, one counter per
   line, as part of nscd's statistics report.  */
void
nscd_avc_print_stats (struct avc_cache_stats *cstats)
{
  const struct avc_cache_stats *s = cstats;

  printf (_("\nSELinux AVC Statistics:\n\n"
	    "%15u entry lookups\n"
	    "%15u entry hits\n"
	    "%15u entry misses\n"
	    "%15u entry discards\n"
	    "%15u CAV lookups\n"
	    "%15u CAV hits\n"
	    "%15u CAV probes\n"
	    "%15u CAV misses\n"),
	  s->entry_lookups, s->entry_hits, s->entry_misses, s->entry_discards,
	  s->cav_lookups, s->cav_hits, s->cav_probes, s->cav_misses);
}
424 | ||
74a30a58 | 425 | #endif /* HAVE_SELINUX */ |